[Snort-users] barnyard (Payload)

Alwin Raymundo alrayworld at ...131...
Wed Oct 16 05:47:04 EDT 2002


Hi Martin,

Thanks for the info.

I already adjusted my configuration on both snort
and barnyard, but it is showing me an error.
-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb at ...950...)
and Martin Roesch (roesch at ...1935...,
www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
Args: mysql, sensor_id 1, database snort, server
localhost, user usnort, password loghog, detail full
Barnyard Version 0.1.0-rc3 (Build 11) started
No Files found to read.  Exiting
Fatal Error, Quitting..
Exiting

barnyard.conf
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user thalium, password 4e770!, detail full

in my snort.conf
output log_unified: filename snort.log, limit 128


and I started by barnyard with
barnyard  -c /etc/snort/barnyard.conf \
    -d /var/log/snort -g /etc/snort/gen-msg.map \
    -s /etc/snort/sid-msg.map -f scan.log

Is there any misconfiguration that I did? Because
barnyard is complaining about "no files found to read".
When I look at my /var/log/snort the file snort.log is
there and exists. Please correct me if I made a
misconfiguration. I appreciate it.

Thanks

Your brother in snort


--- Martin Roesch <roesch at ...1935...> wrote:
> You need to set up log_unified in your snort.conf;
> alert_unified only reports the event data, not the
> packet logs.
> 
>       -Marty
> 
> On Tuesday, October 15, 2002, at 08:37 AM, Alwin
> Raymundo wrote:
> 
> > Hi Marty,
> >
> > Sorry I'm busy this week and I just open my email.
> >
> > in my snort.conf
> > output alert_unified: filename snort.alert, limit 128
> >
> > in barnyard.conf
> > config hostname: snorthost
> > config interface: fxp0
> > config filter: not port 22
> > processor dp_alert
> > processor dp_log
> > processor dp_stream_stat
> > output alert_fast
> > output log_dump
> > output alert_acid_db: mysql, sensor_id 1, database snort,
> > server localhost, user usnort, password loghog
> >
> > I'm new with barnyard. Thanks in Advance for your
> > help.
> >
> > Your brother in snort
> >
> > Alwin
> > --- Martin Roesch <roesch at ...1935...> wrote:
> >> Which unified output option are you guys using?
> >>
> >>       -Marty
> >>
> >>
> >> On 10/1/02 8:57 AM, "Alwin Raymundo"
> >> <alrayworld at ...131...> wrote:
> >>
> >>> Hi Ron,
> >>>
> >>> Yap, to me the payload is very important, in my own
> >>> opinion. We know that somebody is trying to do some
> >>> nasty thing to our server, but how?
> >>>
> >>> Without the payload it looks like I'm shooting in
> >>> the dark.
> >>>
> >>> Thanks
> >>>
> >>>
> >>> --- Ron Shuck <rshuck at ...6736...> wrote:
> >>>> Hey Alwin,
> >>>>
> >>>> I found the same results. I haven't heard if there
> >>>> are plans to include this, or if it should work and
> >>>> we just missed something.
> >>>>
> >>>>
> >>>> Ron Shuck, CISSP - Managing Consultant
> >>>> Buchanan Associates - A Technology Company in the People Business
> >>>> http://www.buchanan.com
> >>>> http://www.isc2.org
> >>>>
> >>>>
> >>>> ---original message---
> >>>> Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
> >>>> From: Alwin Raymundo <alrayworld at ...131...>
> >>>> To: user snort <snort-users at lists.sourceforge.net>
> >>>> Subject: [Snort-users] barnyard (Payload)
> >>>>
> >>>> Hi Everybody,
> >>>>
> >>>> I don't know if this is already posted in a previous
> >>>> discussion. This morning I just set up barnyard.
> >>>> I like it because it is fast to log all packets in my
> >>>> mysql and acid, but I notice there is no payload.
> >>>>
> >>>> Is this normal? Is there another way to get the
> >>>> payload?
> >>>>
> >>>> Any help would be appreciated.
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >> -- 
> >> Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
> >> Sourcefire: Professional Snort Sensor and Management Console appliances
> >> roesch at ...1935... - http://www.sourcefire.com
> >> Snort: Open Source Network IDS - http://www.snort.org
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> 
=== message truncated ===


=====
Alwin Raymundo
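The barnyard command in the message above passes -f scan.log, while the snort.conf line writes unified logs under the base name snort.log. As an added check (not part of the original thread), this shell snippet compares a -f base name against a spool directory the way barnyard's -d/-f options do; it assumes barnyard's documented convention that it reads files named <base>.<timestamp>, which is how Snort's unified output names them. The sample spool directory and its timestamps are constructed.

```shell
# Added diagnostic, not from the original thread: does barnyard's -f base name
# match the unified files Snort is actually writing?
# Assumption (barnyard's documented behaviour): "barnyard -d DIR -f BASE" reads
# files named DIR/BASE.<timestamp>, and Snort's log_unified plugin writes
# <filename>.<timestamp>, so BASE must equal the filename from snort.conf.

barnyard_spool_check() {
    dir=$1
    base=$2
    found=0
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        found=$((found + 1))
    done
    if [ "$found" -gt 0 ]; then
        echo "ok: $found unified file(s) match $dir/$base.*"
        return 0
    fi
    echo "no files match $dir/$base.* (barnyard: 'No Files found to read')"
    echo "unified base names present in $dir instead:"
    for f in "$dir"/*.*; do
        [ -f "$f" ] || continue
        b=$(basename "$f")
        echo "  ${b%.*}"       # strip the trailing .<timestamp>
    done | sort -u
    return 1
}

# Constructed sample spool directory mimicking /var/log/snort from the post:
# "output log_unified: filename snort.log" produces snort.log.<epoch> files.
make_sample_spool() {
    d=$(mktemp -d)
    : > "$d/snort.log.1034772960"   # constructed timestamps
    : > "$d/snort.log.1034776560"
    echo "$d"
}

spool=$(make_sample_spool)
# -f scan.log, as in the command from the post: nothing matches, barnyard exits
if ! barnyard_spool_check "$spool" scan.log; then
    echo "hint: pass the log_unified filename from snort.conf as -f"
fi
# -f snort.log, matching snort.conf: the unified files are found
barnyard_spool_check "$spool" snort.log
rm -rf "$spool"
```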
